[Ach] git - cipher suites - proxy - thoughts
christian mock
cm at coretec.at
Wed Nov 20 17:48:03 CET 2013
On Wed, Nov 20, 2013 at 03:07:03PM +0100, Ulrich Poeschl wrote:
> what I never thought about, was checking the ssl-connection that the
> proxy-appliance then negotiates with the real destination and I think
> that should be a point worth mentioning in the paper. you can have the
> newest shiny browser on your client, but if the intercepting proxy
> negotiates weak crypto you lose again AND: you won't notice it.
Definitely worth mentioning. I sniffed our Checkpoint FW-1 this week
and saw the following:
Cipher Suites:
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Unknown (0x01ff)
Ouch! (And you may now start putting on your tin foil hats WRT 0x01ff
and the Mossad ;-)
cm.
--
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - so that something like this doesn't happen!
http://heise.de/-1260559
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
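
Added example (not part of the original message or of any vendor's code): one way to audit what an intercepting proxy offers upstream is to capture its ClientHello on the egress side and check the cipher suite list. The sketch below parses a ClientHello record and flags the suites; the sample bytes are constructed to carry the six ids listed above, and the function names are hypothetical.

```python
import struct

# Names for the suite ids quoted in the message; other ids are reported as unknown.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def offered_suites(record):
    """Return the cipher suite ids offered in one TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 44 + record[43]  # skip record hdr, handshake hdr, version, random, session id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suite list")
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("truncated or malformed cipher suite list")
    return [c for (c,) in struct.iter_unpack("!H", record[pos:pos + n])]

def findings(suite_id):
    """Return the reasons a suite deserves attention (empty list if none)."""
    name = SUITES.get(suite_id)
    if name is None:
        return ["unknown id"]
    checks = [("_RC4_" in name, "RC4"), ("_3DES_" in name, "3DES"),
              (name.endswith("_MD5"), "MD5 MAC"),
              (name.startswith("TLS_RSA_"), "no forward secrecy")]
    return [label for hit, label in checks if hit]

def build_sample():
    """Constructed ClientHello (TLS 1.0, all-zero random) with the six ids above."""
    ids = [0x002F, 0x0005, 0x0035, 0x0004, 0x000A, 0x01FF]
    body = b"\x03\x01" + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ids)) + b"".join(struct.pack("!H", i) for i in ids)
    body += b"\x01\x00"  # compression methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def report(record):
    return [(s, findings(s)) for s in offered_suites(record)]

if __name__ == "__main__":
    for sid, why in report(build_sample()):
        print(f"0x{sid:04x} {SUITES.get(sid, 'Unknown'):30} {', '.join(why)}")
```

Every suite in this list uses static RSA key exchange, so none provides forward secrecy, and 0x01ff is reported only as unknown because the name table is limited to the ids named in the message.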